6

As I understand, to "Authenticate" means to prove you are who you claim to be. To be "Authorized" means that you have permission to do the operation you are attempting.

Why then, in the RFC for HTTP authentication, do you authenticate (prove you are who you say you are) via a header called 'Authorization'? You are not proving that you are allowed to do a certain operation.

The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm...

...If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
everybody
  • 328
  • 1
  • 9
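As an added example (not code from the question or the answer), here is the server side of the exchange quoted above: parsing the Basic scheme credential out of the Authorization header and returning 401 with a WWW-Authenticate challenge when it is missing or does not verify. The user table and the realm name are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed for this example; a real server stores password hashes, not plaintext.
VALID_USERS = {"Aladdin": "open sesame"}
REALM = "example"  # constructed realm name


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic <base64>' value into (user-id, password).

    Returns None when the header is absent, names another scheme, is not valid
    base64, or the decoded text has no ':' separator. The user-id may not
    contain ':', so splitting on the FIRST colon keeps a password such as
    'open:sesame' intact.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":  # scheme is case-insensitive
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user_id, password = decoded.split(":", 1)
    return user_id, password


def handle_request(header: Optional[str]) -> Tuple[int, dict]:
    """Return (status code, response headers) for a request carrying this header.

    Anything that does not verify gets 401 plus a WWW-Authenticate challenge
    naming the realm; that challenge is what tells the client to authenticate.
    """
    creds = parse_basic_authorization(header)
    if creds is not None:
        user_id, password = creds
        expected = VALID_USERS.get(user_id, "")
        # Constant-time comparison so a wrong password leaks no timing signal.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```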

1 Answer

8

a) The actual RFC is 7235, not 2617.

b) I assume it's a historic mistake. That's the best answer I have (note that I'm one of the authors of the newer RFC).

Julian Reschke
  • 40,156
  • 8
  • 95
  • 98
  • Thank you! On a similar vein, do you think the response 401 "Unauthorized" would make more sense as 401 "Unauthenticated"? At least, in this context. – everybody Feb 08 '17 at 01:14